"NT Authority" mapping failures

Jeremy Allison jra at samba.org
Tue Nov 27 17:31:40 UTC 2018


On Tue, Nov 27, 2018 at 06:26:42PM +0100, Ralph Böhme wrote:
> Hi Jeremy,
> 
> I came across this ancient gem: :)
> 
> 0492effcf36bc1229d0d2e9250b6c6c36af0b117
> 
> By chance, do you remember the reasoning for ignoring mapping failures with
> these two domains?

Historically we didn't map Creator_Owner_Domain to a valid uid
(as it should have gotten changed to the creator uid/gid).

> I'm asking because I just stumbled across that currently mapping users and
> groups from "NT Authority" fails. I discovered this (though I faintly
> remember I ran into this before) when modifying CI to run raw.acls tests
> against the enhanced vfs_nfs4acl_xattr module.
> 
> Most tests failed because lookupname "NT Authority/Authenticated Users" isn't
> working. I have a WIP patch to fix this (attached) and while poking around I
> came across the above commit that paves above such mapping failures in the
> posix_acls.c code.
> 
> Thoughts? :)

It's the conversion of SID->uid/gid for meta-sids that have no POSIX
meaning that I was avoiding here.

Didn't want the POSIX ACL set to fail if it couldn't convert
a SID->uid/gid for an ACE entry that couldn't be represented
in a POSIX ACE entry.

No reason winbindd shouldn't handle them, so long as it doing
so doesn't break the conversion of Windows ACL -> POSIX ACL.

That's what I remember :-).

Jeremy.


> -- 
> Ralph Boehme, Samba Team                https://samba.org/
> Samba Developer, SerNet GmbH   https://sernet.de/en/samba/
> GPG-Fingerprint   FAE2C6088A24252051C559E4AA1E9B7126399E46

> From f4663336ad11e8507ec771f91d0820fbebc91ab2 Mon Sep 17 00:00:00 2001
> From: Ralph Boehme <slow at samba.org>
> Date: Tue, 27 Nov 2018 17:05:58 +0100
> Subject: [PATCH] WIP: winbindd: handle "NT Authority"
> 
> Without this:
> 
>   $ bin/wbinfo -n "NT Authority/Authenticated Users"
>   failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
>   Could not lookup name NT Authority/Authenticated Users
> 
>   $ bin/wbinfo --group-info="NT Authority/Authenticated Users"
>   failed to call wbcGetgrnam: WBC_ERR_DOMAIN_NOT_FOUND
>   Could not get info for group NT Authority/Authenticated Users
> 
> With the patch:
> 
>   $ bin/wbinfo -n "NT Authority/Authenticated Users"
>   S-1-5-11 SID_WKN_GROUP (5)
> 
>   $ bin/wbinfo --group-info="NT Authority/Authenticated Users"
>   NT AUTHORITY/authenticated users:
> ---
>  source3/winbindd/winbindd_util.c | 7 ++++---
>  1 file changed, 4 insertions(+), 3 deletions(-)
> 
> diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
> index 090a90574ce..e4af81ea868 100644
> --- a/source3/winbindd/winbindd_util.c
> +++ b/source3/winbindd/winbindd_util.c
> @@ -1516,11 +1516,12 @@ struct winbindd_domain *find_lookup_domain_from_sid(const struct dom_sid *sid)
>  struct winbindd_domain *find_lookup_domain_from_name(const char *domain_name)
>  {
>  	if ( strequal(domain_name, unix_users_domain_name() ) ||
> -	     strequal(domain_name, unix_groups_domain_name() ) )
> +	     strequal(domain_name, unix_groups_domain_name() ) ||
> +	     strequal(domain_name, "NT Authority"))
>  	{
>  		/*
> -		 * The "Unix User" and "Unix Group" domain our handled by
> -		 * passdb
> +		 * The "Unix User", "Unix Group" and "NT Authority" domains our
> +		 * handled by passdb
>  		 */
>  		return find_domain_from_name_noinit( get_global_sam_name() );
>  	}
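Review bot: the added strequal(domain_name, "NT Authority") test in find_lookup_domain_from_name() hard-codes the domain string, while the two checks next to it take their names from unix_users_domain_name() and unix_groups_domain_name(). Take this name from one shared definition as well, so the name-based lookup cannot drift from other places that spell the domain. The rewritten comment also carries over the typo "our handled by", which should read "are handled by". Because every "NT Authority" name now resolves through the passdb domain returned by find_domain_from_name_noinit(get_global_sam_name()), it is worth checking before the WIP tag is dropped that a well-known SID with no uid/gid still does not make the Windows ACL to POSIX ACL conversion fail.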
> -- 
> 2.17.2
> 



